Sunday 20 May 2018

Switch - Port Security

What is covered?
We will look at how to secure a Cisco switch using the port security feature.

Why is port security required?
Port security is a feature on Cisco switches that helps control which devices are allowed onto the network through a given port.

For example :

In the following switch, ports 1-5 are configured as VLAN 10 and ports 6-10 are configured as VLAN 20. The remaining ports are on the default VLAN 1.

VLAN 10 -> for the Sales team
VLAN 20 -> for the HR team


The reason for a setup like the one above is to segregate the network into two, so that users on VLAN 10 cannot access resources on VLAN 20.


Now: Jack, a user who belongs to the Sales team, comes to the office and connects his laptop to port 6 on the switch. At this moment he will not have access to the Sales team network; instead, he will have access to the HR team network. This also means he has access to all the payslip details stored on the HR server, which is connected to port 10.


Although the above act was unintentional, what if Jack had intentionally plugged his laptop into port 6 to reach the payslip server?

How to prevent unauthorized access to our network?

We can use the port security feature available on the switch. Since switches forward frames based on MAC addresses, we can configure a port to allow particular MAC addresses and block the rest.

Example: The HR team consists of 4 members. Each member has one laptop, and then there is the HR server. In total there are five network devices to be connected to VLAN 20 (ports 6-10 on the switch). We assign one port to each user (ports 6-9) and port 10 to the server.

Port no 6 -> Configured to allow the MAC address of user 1
Port no 7 -> Configured to allow the MAC address of user 2
Port no 8 -> Configured to allow the MAC address of user 3
Port no 9 -> Configured to allow the MAC address of user 4
Port no 10 -> Configured to allow the MAC address of the HR-SERVER

This configuration makes sure that the team members have access to the network. When someone accidentally or purposefully tries to connect to their network, they will not be able to access any resource on it.

To configure port security on the switch, the port first has to be configured as an "access" port. Only then can we apply port security.

Syntax:
Switch (config) # interface <interface type> <interface no>
Switch (config-if) # switchport mode access

Example:
Switch-HR (config) # interface fastethernet 0/0
Switch-HR (config-if) # switchport mode access



More than one computer needs to use the same port. Can this be done?

Imagine this scenario: two users from HR work different 12-hour shifts. They sit in the same place and use the same port to access the network. Can we still apply port security on that port?
The answer is yes, we can allow them access. We configure the switch to allow these two MAC addresses.

Syntax: to allow more than one MAC address
Switch (config-if) # switchport port-security maximum <value>
Example:
Switch-HR (config-if) # switchport port-security maximum 2

How to add the MAC address to the ports?

There are two ways to add a MAC address to a port.
Method 1: We type the MAC address manually.
Syntax:
Switch (config-if) # switchport port-security mac-address <mac-address>
Example (IOS expects the MAC address in dotted H.H.H form):
Switch-HR(config-if) # switchport port-security mac-address 1a2b.3c4d.5e6f

Method 2: The switch learns the MAC address automatically. We use the keyword 'sticky' in place of the MAC address so that the switch learns the MAC address of the connected device on its own.
Syntax:
Switch (config-if) # switchport port-security mac-address sticky
Example:
Switch-HR(config-if) # switchport port-security mac-address sticky



How should the switch react if an unauthorized user connects to the network?

If a security violation takes place, the switch can be configured to do one of the following:
  1. Shutdown
  2. Restrict
  3. Protect

Shutdown: If the port is configured to shut down on a violation, the port becomes "error disabled" and the port LED turns off. To turn the port back on, an administrator has to re-enable it.

Restrict: If the port is configured to restrict on a violation, frames with an unknown source MAC address are dropped. The switch also sends a notification or creates a log message that a security violation has occurred.

Note: The LED on the port stays on. The unauthorized user will think they are connected to the network, but when they try to access resources on the network they will not be able to.

Protect: If the port is configured to protect on a violation, frames with an unknown source MAC address are dropped. It does not notify that a security violation has occurred.

Syntax:
Switch (config-if) # switchport port-security violation {protect|restrict|shutdown}
Example:
Switch-HR(config-if) # switchport port-security violation shutdown

  
CODING:

Configuring port security

Switch (config) # interface <interface type> <interface no>
Switch (config-if) # switchport mode access
Switch (config-if) # switchport port-security maximum <value>
Switch (config-if) # switchport port-security mac-address <mac-address>
Switch (config-if) # switchport port-security violation {protect|restrict|shutdown}
Switch (config-if) # switchport port-security
  
Verification:
Switch# show port-security
Switch# show port-security interface <interface type> <interface no>
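As an added example (not part of the original post), the following Python script reads a Cisco IOS running-config and audits the HR ports against the rules laid out above: access mode, port security enabled, a MAC address bound statically or via sticky, a maximum within policy, and a violation mode that actually reports. The running-config text is constructed for illustration, not captured from a real switch.

```python
import re

# Constructed sample running-config for three HR ports (not captured from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 20
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 switchport port-security
interface FastEthernet0/8
 switchport mode access
 switchport access vlan 20
 switchport port-security violation protect
 switchport port-security
interface FastEthernet0/9
 switchport mode access
 switchport access vlan 20
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from the 'interface X' stanzas of a running-config."""
    parts = re.split(r"^interface (\S+)\n", config, flags=re.M)
    return {name: [l.strip() for l in body.splitlines() if l.startswith(" ")]
            for name, body in zip(parts[1::2], parts[2::2])}


def audit_port_security(config, vlan, max_allowed=2):
    """Return {interface: [findings]} for every access port in `vlan`; an empty list means compliant."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if f"switchport access vlan {vlan}" not in lines:
            continue
        issues = []
        if "switchport mode access" not in lines:
            issues.append("not an access port, so port-security cannot be applied")
        if "switchport port-security" not in lines:
            issues.append("port-security not enabled")
        if not any(l.startswith("switchport port-security mac-address") for l in lines):
            issues.append("no static or sticky MAC address bound")
        maximum = [l.split()[-1] for l in lines if l.startswith("switchport port-security maximum")]
        if maximum and int(maximum[0]) > max_allowed:
            issues.append(f"maximum {maximum[0]} exceeds the policy limit of {max_allowed}")
        # IOS defaults to 'shutdown' when no violation mode is set; 'protect' drops frames silently.
        if "switchport port-security violation protect" in lines:
            issues.append("violation mode 'protect' gives no notification of violations")
        findings[name] = issues
    return findings
```

Run `audit_port_security(SAMPLE_CONFIG, vlan=20)` to get the findings per port; FastEthernet0/6 comes back clean, while 0/8 and 0/9 each carry two findings.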

